IoT devices continue to make headlines for their innovation and as new holiday gifts, with millions of new devices being sold weekly. But with the proliferation of these new devices comes a sobering reality: they are introducing new threats daily. There is real and present danger here, and it will only get worse. While we have experienced devices being compromised and taken over in the past because of their vulnerabilities, the challenge now goes beyond the virtual world to the physical world where we all live and work.
In October many of us woke up to the DDoS attack on Dyn. We have since learned this is not the first time hackers have compromised connected devices and focused their collective capabilities on a single target. While the DDoS attacks were certainly an inconvenience to the sites taken offline and to customers trying to access them, no significant material damage resulted. Yet, what is concerning is that the amplification and magnitude of these attacks have increased every time. Clearly this is an example of tradition warfare, testing defenses and resiliency of infrastructure. This has merely been a “shot across the bow.”
The security challenges are complex and comprised of three dimensions: the device, the supporting applications, and the backend/cloud services. Those factors, and the diverse supply chain of each, means every facet and data layer is a potential risk. Each needs to be secured across multiple layers—as does the flow of data among them. Unfortunately all too many devices are not developed with a security-by-design mentality and are shipped insecure.
The reasons for insecure IoT involve more market failure than technical complexity. Unfortunately, in all too many cases industry has prioritized features and time-to-market over security. Others have failed to recognize and prioritize the need for support over the life of the product. Meanwhile consumers and businesses unknowingly buy these devices without knowledge of their impact on privacy, identity and personal security.
So what can be done? In mid-November the U.S. House of Representatives Committee on Energy & Commerce hosted a hearing on Understanding the Role of Connected Devices in Cyber Attacks. The testimony from the Online Trust Alliance (OTA) was conclusive: the damages will be real and we cannot wait. Devices are being sold and shipped insecure by default, while others have no life-cycle plan in place to manage threat and vulnerabilities in the future. Bruce Schneier, a noted security expert who also testified at the hearing, called for the formation of a new governmental agency to certify and enforce security basics. Others, including OTA, called for incentives for device manufactures to address core security and data privacy concerns and for retailers to pull insecure products from their shelves.
Unfortunately, government has been of little help. Agencies appear to be jockeying for leadership while trade organizations and NGOs focus their own respective “slice of the pie.”
For the past 18 months the Online Trust Alliance has convened multiple multi-stakeholder efforts and developed a comprehensive set of principles to help address the top security, privacy and associated life-cycle issues for the Internet of Things. While recognizing that perfect is the enemy of good, these principles provide prescriptive and actionable advice. Designed not only for device manufactures and developers, they should be used by every organization as a form of risk assessment for the devices within their organization. While many organizations recognize the importance of evaluations for their networking architecture and industrial controls, similar evaluations are needed for all devices, from the TV in the boardroom to the connected coffee pot in the break room. As these devices become connected to the corporate network they become a proxy for harm and organizations need to put in place processes to manage them. Insecure devices should be removed and devices found to be orphaned and no longer supported should be taken off-line.
Going forward, OTA is working with several organizations to drive an IoT certification model, but in the mean time we all must carefully evaluate these products on our own. To learn more visit https://otalliance.org/IoT. If you are attending the RSA Conference in February, be sure to join the panel on IoT Insecurity including Bruce Schneier, Olaf Kolkman of the Internet Society, and myself on February 15th at 8 a.m.